From fa90230300e390601e3fbb15c322a7e84e1ca185 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Sun, 24 Aug 2025 11:42:00 -0700
Subject: [PATCH] feat: Add IAM config flag to S3 command

- Add -iam.config flag to support advanced IAM configuration
- Enable S3 server to start with IAM integration when config is provided
- Allows JWT Bearer token authentication for S3 operations
---
 weed/command/s3.go | 53 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 39 insertions(+), 14 deletions(-)

diff --git a/weed/command/s3.go b/weed/command/s3.go
index 027bb9cd0..9e487bab0 100644
--- a/weed/command/s3.go
+++ b/weed/command/s3.go
@@ -40,6 +40,7 @@ type S3Options struct {
 portHttps *int
 portGrpc *int
 config *string
+ iamConfig *string
 domainName *string
 allowedOrigins *string
 tlsPrivateKey *string
@@ -69,6 +70,7 @@ func init() {
 s3StandaloneOptions.allowedOrigins = cmdS3.Flag.String("allowedOrigins", "*", "comma separated list of allowed origins")
 s3StandaloneOptions.dataCenter = cmdS3.Flag.String("dataCenter", "", "prefer to read and write to volumes in this data center")
 s3StandaloneOptions.config = cmdS3.Flag.String("config", "", "path to the config file")
+ s3StandaloneOptions.iamConfig = cmdS3.Flag.String("iam.config", "", "path to the advanced IAM config file")
 s3StandaloneOptions.auditLogConfig = cmdS3.Flag.String("auditLogConfig", "", "path to the audit log config file")
 s3StandaloneOptions.tlsPrivateKey = cmdS3.Flag.String("key.file", "", "path to the TLS private key file")
 s3StandaloneOptions.tlsCertificate = cmdS3.Flag.String("cert.file", "", "path to the TLS certificate file")
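Review bot: The help string added for `-iam.config` in init() does not tell an operator what setting the flag changes, although the commit message says it switches the server to IAM integration and enables JWT Bearer token authentication. The third hunk still passes `-config` into the IAM branch, so the text should also say how the two files relate; something like `"path to the advanced IAM config file; when set, the S3 server starts with IAM integration (JWT bearer auth)"` would be a start. If this file can carry signing keys or identity-provider secrets (not visible in this diff), the flag documentation should state that it must be readable only by the service account. init() continues outside the hunk.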
@@ -237,20 +239,43 @@ func (s3opt *S3Options) startS3Server() bool {
 if s3opt.localFilerSocket != nil {
 localFilerSocket = *s3opt.localFilerSocket
 }
- s3ApiServer, s3ApiServer_err := s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{
- Filer: filerAddress,
- Port: *s3opt.port,
- Config: *s3opt.config,
- DomainName: *s3opt.domainName,
- AllowedOrigins: strings.Split(*s3opt.allowedOrigins, ","),
- BucketsPath: filerBucketsPath,
- GrpcDialOption: grpcDialOption,
- AllowEmptyFolder: *s3opt.allowEmptyFolder,
- AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
- LocalFilerSocket: localFilerSocket,
- DataCenter: *s3opt.dataCenter,
- FilerGroup: filerGroup,
- })
+ var s3ApiServer *s3api.S3ApiServer
+ var s3ApiServer_err error
+
+ // Use enhanced S3 server with IAM if config is provided
+ if *s3opt.iamConfig != "" {
+ glog.V(0).Infof("Starting S3 API Server with advanced IAM integration")
+ s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServerWithIAM(router, &s3api.S3ApiServerOption{
+ Filer: filerAddress,
+ Port: *s3opt.port,
+ Config: *s3opt.config,
+ DomainName: *s3opt.domainName,
+ AllowedOrigins: strings.Split(*s3opt.allowedOrigins, ","),
+ BucketsPath: filerBucketsPath,
+ GrpcDialOption: grpcDialOption,
+ AllowEmptyFolder: *s3opt.allowEmptyFolder,
+ AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
+ LocalFilerSocket: localFilerSocket,
+ DataCenter: *s3opt.dataCenter,
+ FilerGroup: filerGroup,
+ }, *s3opt.iamConfig)
+ } else {
+ // Use standard S3 server
+ s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServer(router, &s3api.S3ApiServerOption{
+ Filer: filerAddress,
+ Port: *s3opt.port,
+ Config: *s3opt.config,
+ DomainName: *s3opt.domainName,
+ AllowedOrigins: strings.Split(*s3opt.allowedOrigins, ","),
+ BucketsPath: filerBucketsPath,
+ GrpcDialOption: grpcDialOption,
+ AllowEmptyFolder: *s3opt.allowEmptyFolder,
+ AllowDeleteBucketNotEmpty: *s3opt.allowDeleteBucketNotEmpty,
+ LocalFilerSocket: localFilerSocket,
+ DataCenter: *s3opt.dataCenter,
+ FilerGroup: filerGroup,
+ })
+ }
 if s3ApiServer_err != nil {
 glog.Fatalf("S3 API Server startup error: %v", s3ApiServer_err)
 }
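Review bot: `*s3opt.iamConfig` is dereferenced in startS3Server() without a nil check, while this patch registers the flag only for `s3StandaloneOptions` in this file's init(); any other command that builds an `S3Options` without setting `iamConfig` (none is visible in this diff, but the neighbouring `if s3opt.localFilerSocket != nil` guard suggests such callers exist) would panic at startup. Guard it with `if s3opt.iamConfig != nil && *s3opt.iamConfig != ""`. The two branches also repeat the same twelve-field `S3ApiServerOption` literal, so a later change to `AllowedOrigins` or another field can land in one path and silently miss the other; building the option once and passing it to whichever constructor is selected removes that drift. startS3Server() starts and ends outside the hunk.

```go
// … unchanged: localFilerSocket handling …
s3ApiOption := &s3api.S3ApiServerOption{
	// … unchanged: the twelve option fields, Filer through FilerGroup …
}

var s3ApiServer *s3api.S3ApiServer
var s3ApiServer_err error
if s3opt.iamConfig != nil && *s3opt.iamConfig != "" {
	// Use enhanced S3 server with IAM if config is provided
	glog.V(0).Infof("Starting S3 API Server with advanced IAM integration")
	s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServerWithIAM(router, s3ApiOption, *s3opt.iamConfig)
} else {
	// Use standard S3 server
	s3ApiServer, s3ApiServer_err = s3api.NewS3ApiServer(router, s3ApiOption)
}
// … unchanged: s3ApiServer_err check …
```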